Most cyberattacks are caused by a common vulnerability – compromised credentials.
In fact, the 2021 Data Breach Investigations Report (DBIR) shows that 61% of all breaches involve malicious actors gaining unauthorised, privileged access to data by using a compromised credential. Unfortunately, it is often too late when the misuse of a credential is detected.
Is Jane Doe in your payroll system the same user as JaneD in your CRM software, and is it the same JDoe in that SaaS application? Should this person have access to all these resources and applications? If Jane has multiple accounts and is among tens, hundreds, or thousands of other employees, how can we detect if they have been hacked by a cyber-criminal who would now have access to critical company information?
What is identity sprawl, and why does it matter?
Identity sprawl occurs due to a combination of 3 primary reasons:
1) Increase in the number of users, including internal, external and customers.
2) Increase in the number of machine identities, such as IoT and digital workers (RPA), to automate various tasks.
3) Ever-expanding number of accounts that exist across a multi-generational hybrid IT environment, with expanding cloud and SaaS platforms.
According to the Identities and Security in 2021 report, the typical employee has around 25 accounts. Furthermore, 36% of surveyed companies in the ANZ region have stated that the number of identities in their organisation has significantly increased (five to ten times more).
95% of security professionals reported challenges in managing identities, while 8 out of 10 have reported that the identities they manage have more than doubled, and 25% reported a 10X increase in digital identities during the same period.
The attack surface also increases with identity sprawl as the identities are granted accounts, access and privilege across the network and applications, spread throughout the hybrid IT environment, making it easier for lateral movement for an attacker.
When we look at the risk of an attack from a compromised credential on a risk heatmap, whilst the consequence (X-axis) of an attack has always been considered critical, over the past 10 years, we've seen the likelihood (Y-axis) of an attack has increased to likely and almost certain levels. Identity sprawl has been one of the contributing factors to the increased likelihood of this risk, and an identity strategy can be used to mitigate the risk and lower the likelihood of reducing the risk.
What causes identity sprawl?
In part, we can attribute identity sprawl to the fact that the traditional perimeters of a business no longer apply in today's world.
Employees can work remotely and are not confined to a central office location, team restructures are common in the era of the Great Resignation, and the use of external contractors, suppliers and partners is increasingly common.
Each person entering and exiting a business is granted the keys to its applications and data.
When we look at Australia's largest employers, some of which have upwards of 200,000 staff, we can see that each business could be managing millions of accounts, making it all but impossible to keep track of who can access what.
Additional factors, such as digital transformation, expansion into cloud and SaaS platforms, and increased use of machine and bot identities, further complicates the situation with keeping track across all different identity types across all the platforms.
The more people granted the keys to a business's data, the more entry points available to cyber attackers looking to gain access to its most valuable resources. To strengthen security and prevent perimeter breaches, organisations need to address identity sprawl.
What can be done?
An identity strategy is crucial to help close the security gap caused by identity sprawl. This involves a three-step approach to understanding and addressing the problem and future-proofing your business for ongoing personnel and identity growth.
Intelligent platforms can unify and centrally correlate identity data into a secure fabric structure that ensures administrators have visibility over all identities, accounts and entitlements across an organisation. This immediately provides organisations with visibility.
Once identities are unified, businesses should continuously authenticate, authorise, and validate accounts before granting access to platforms to ensure users are only accessing what they need to, when they need to, and for a period that is logical and does not pose a risk to security. This is a crucial step that also helps towards implementing principles of Zero Trust, including least-privilege access models and Just-In-Time access.
The cybersecurity landscape is ever-changing, and new vulnerabilities are always being discovered. Business leaders and IT and security professionals alike must stay aware of the risks posed by identities being stolen, shared, or inappropriately used for malicious attacks. This begins with an inside-out approach to security practices.
Identity sprawl is a critical obstacle that businesses are challenged to overcome, and it's making them extremely vulnerable to attackers. With a committed effort to control identity sprawl, as well as utilisation of a unified approach towards the problem, businesses can reduce cybersecurity risks and instead position identity management as a security strength.
There are various methods, technologies, and processes to implement these three steps. However, it is crucial that all the identity security components cooperate and work together as a unified solution. A unified platform approach where identity data such as risk profiles, access, entitlements, and usage, is shared across authentication (IAM), identity governance (IGA) and privileged access (PAM) will be a crucial in not only taming identity sprawl but also allow you to maximise impact over time.